.\" SPDX-License-Identifier: CC-BY-SA-4.0 or-later
.\" SPDX-FileCopyrightText: 2025 grommunio GmbH
.TH pop3 8gx "" "Gromox" "Gromox admin reference"
.SH Name
pop3 \(em Gromox POP3 server
.SH Authentication
The POP3 server supports impersonation; see imap(8gx) for details.
.SH Synopsis
\fBpop3\fP [\fB\-c\fP \fIconfig\fP]
.SH Options
.TP
\fB\-c\fP \fIconfig\fP
Read configuration directives from the given file. If this option is not
specified, /etc/gromox/pop3.cfg will be read if it exists.
.TP
\fB\-\-version\fP
Output version information and exit.
.TP
\fB\-?\fP
Display option summary.
.PP
All time-based command-line options and configuration file directives are
subject to the syntax described in gromox(7), section "Duration
specifications".
.SH Configuration directives (gromox.cfg)
The following directives are recognized when reading from
/etc/gromox/gromox.cfg, or when the \fB\-c\fP option is used to specify a
custom file:
.TP
\fBdaemons_fd_limit\fP
In gromox-pop3, this is treated as an alias for pop3_fd_limit.
.TP
\fBpop3_fd_limit\fP
Request that the file descriptor table be at least this large. The magic value
0 indicates that the system default hard limit (rlim_max, cf. setrlimit(2))
should be used.
.br
Default: \fI0\fP
.TP
\fBpop3_accept_haproxy\fP
This directive sets the expectation for incoming connections to carry haproxy's
"PROXY" protocol extension version 2 (2), or no such header (0). When a
(reverse) proxy is placed in front of gromox\-pop3, the address that gxpop3
normally sees is the proxy address (e.g. ::1). A proxy can use this protocol
extension to convey the actual client address, and gxpop3 can pick this up for
its own reporting, which in turn is useful for e.g. fail2ban setups.
.br
Default: \fI0\fP
.SH Configuration directives (pop3.cfg)
The following directives are recognized when reading from /etc/gromox/pop3.cfg,
or when the \fB\-c\fP option is used to specify a custom file:
.TP
\fBblock_interval_auths\fP
The amount of time a user is blocked from connecting to the service after too
many failed logins.
.br
Default: \fI1 minute\fP
.TP
\fBconfig_file_path\fP
Colon-separated list of directories which will be scanned when locating further
configuration files, especially those used by subcomponent instances. (For
example, mysql_adaptor(4gx) would be directed to look at
/etc/gromox/pop3/mysql_adaptor.cfg before /etc/gromox/mysql_adaptor.cfg.)
.br
Default: \fI/etc/gromox/pop3:/etc/gromox\fP
.TP
\fBcontext_average_mem\fP
Default: \fI256K\fP
.TP
\fBcontext_average_units\fP
Lower clamp is 256.
.br
Default: \fI1024\fP
.TP
\fBcontext_max_mem\fP
Network buffer per client.
.br
Default: \fI2M\fP
.TP
\fBcontext_num\fP
Default: \fI200\fP
.TP
\fBdata_file_path\fP
Colon-separated list of directories in which static data files will be
searched.
.br
Default: \fI/usr/share/gromox/pop3\fP
.TP
\fBenable_capa_implementation\fP
When enabled, the server will include an "IMPLEMENTATION" line in the CAPA
response (RFC 2449 §6.9). This is disabled by default, as it can facilitate
potential attackers' information gathering.
.br
Default: \fIno\fP
.TP
\fBhost_id\fP
A unique identifier for this system. It is used in the POP3 protocol greeting
lines (positive as well as negative). The identifier should only use characters
allowed for hostnames.
.br
Default: (system hostname)
.TP
\fBpop3_auth_times\fP
The number of login tries a user is allowed before the account is blocked.
.br
Default: \fI3\fP
.TP
\fBpop3_certificate_passwd\fP
The password to unlock TLS certificates.
.br
Default: (unset)
.TP
\fBpop3_certificate_path\fP
A colon-separated list of TLS certificate files. The complete certificate chain
should be present (as there is no other config directive to pull CA certs in,
and implicit loading from system directories is not guaranteed by Gromox).
.br
Default: (unset)
.TP
\fBpop3_cmd_debug\fP
Log every incoming POP3 command and the return code of the operation in a
minimal fashion to stderr (not pop3_log_file!). Level 1 emits commands that
have failed execution, level 2 emits all commands.
.br
Default: \fI0\fP
.TP
\fBpop3_conn_timeout\fP
If a POP3 connection is inactive for the given period, the connection is
terminated.
.br
Default: \fI3 minutes\fP
.TP
\fBpop3_force_tls\fP
This flag controls whether clients must utilize TLS, either by way of implicit
TLS (cf. \fBpop3_listen_tls_port\fP), or through the STLS command.
.br
Default: \fIfalse\fP
.TP
\fBpop3_listen_addr\fP
AF_INET6 socket address to bind the POP3 service to.
.br
Default: \fI::\fP
.TP
\fBpop3_listen_port\fP
The TCP port to expose the POP3 protocol service on. (The IP address is fixed
to the wildcard address.)
.br
Default: \fI110\fP
.TP
\fBpop3_listen_tls_port\fP
The TCP port to expose implicit-TLS POP3 protocol service (POP3S) on. (The IP
address is fixed to the wildcard address.)
.br
Default: (unset)
.TP
\fBpop3_log_file\fP
Target for log messages here. Special values: "\fI-\fP" (stderr/syslog
depending on parent PID) or "\fIsyslog\fP" are recognized.
.br
Default: \fI-\fP (auto)
.TP
\fBpop3_log_level\fP
Maximum verbosity of logging. 1=crit, 2=error, 3=warn, 4=notice, 5=info, 6=debug.
.br
Default: \fI4\fP (notice)
.TP
\fBpop3_private_key_path\fP
A colon-separated list of TLS certificate private key files.
.br
Default: (unset)
.TP
\fBpop3_support_tls\fP
This flag controls the offering of TLS modes. This affects both the implicit TLS
port as well as the advertisement of the STARTTLS extension and availability of
the STLS command (RFC 2595) to clients.
.br
Default: \fIfalse\fP
.TP
\fBpop3_thread_charge_num\fP
Connection load factor (oversubscription ratio) for a processing thread.
.br
Default: \fI40\fP
.TP
\fBpop3_thread_init_num\fP
The initial and also minimum number of client processing threads to keep
around. This is similar to php-fpm's start_servers/min_spare_servere. (The
maximum number of threads, i.e. what would be max_spare_servers, is determined
by: context_num divided by imap_thread_charge_num)
.br
Default: \fI5\fP
.TP
\fBrunning_identity\fP
An unprivileged user account to switch the process to after startup.
To inhibit the switch, assign the empty value.
.br
Default: \fIgromox\fP
.TP
\fBtls_min_proto\fP
The lowest TLS version to offer. Possible values are: \fBtls1.0\fP,
\fBtls1.1\fP, \fBtls1.2\fP, and, if supported by the system, \fBtls1.3\fP.
.br
Default: \fItls1.2\fP
.SH Files
.IP \(bu 4
\fIdata_file_path\fP/pop3_code.txt: Mapping from internal POP3 error codes to
textual descriptions.
.SH See also
\fBgromox\fP(7), \fBmidb_agent\fP(4gx)
